From 349fec73a90e38cd059bd23267adc687b71a8394 Mon Sep 17 00:00:00 2001 From: Conor <93926445+cmcnally-r7@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:39:01 +0000 Subject: [PATCH] SentinelOne validation checks (#3031) * Fix issue with input validation * Black formatting * Check for whitespace and change version back to 11.1.3 * Fix help.md --- plugins/sentinelone/.CHECKSUM | 8 ++++---- plugins/sentinelone/bin/komand_sentinelone | 2 +- plugins/sentinelone/help.md | 7 ++++--- .../tasks/monitor_logs/schema.py | 4 +--- .../komand_sentinelone/util/helper.py | 20 ++++++++++++++++--- plugins/sentinelone/plugin.spec.yaml | 10 +++++++--- plugins/sentinelone/setup.py | 2 +- 7 files changed, 35 insertions(+), 18 deletions(-) diff --git a/plugins/sentinelone/.CHECKSUM b/plugins/sentinelone/.CHECKSUM index 3896d26d2a..9eb5741585 100644 --- a/plugins/sentinelone/.CHECKSUM +++ b/plugins/sentinelone/.CHECKSUM @@ -1,7 +1,7 @@ { - "spec": "175814e9d6bf3496067ab005bc81ab74", - "manifest": "bf2f37bb010ec31daf0a4aee3ae45b89", - "setup": "1e8d3387ed4d46dc2171d7ee9c3c4a2c", + "spec": "c6927728c4f69ccd4bfba73202f850ec", + "manifest": "3c7c9830c5936c4ffed6adbaaf12722e", + "setup": "98419c249e2910502c36eb5144487ce4", "schemas": [ { "identifier": "activities_list/schema.py", @@ -129,7 +129,7 @@ }, { "identifier": "monitor_logs/schema.py", - "hash": "6ee7bc26267a2fd719aecccb08ec7f18" + "hash": "90852af2f999f070b9386c3f9cf6f953" }, { "identifier": "get_threats/schema.py", diff --git a/plugins/sentinelone/bin/komand_sentinelone b/plugins/sentinelone/bin/komand_sentinelone index 752ccb6e9d..501c4b181c 100755 --- a/plugins/sentinelone/bin/komand_sentinelone +++ b/plugins/sentinelone/bin/komand_sentinelone 
@@ -7,7 +7,7 @@ from sys import argv Name = "SentinelOne" Vendor = "rapid7" Version = "11.1.3" -Description = "The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne" +Description = "[SentinelOne](https://www.sentinelone.com/) is a next-gen cybersecurity company focused on protecting the enterprise through the endpoint. The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne.This plugin utilizes the SentinelOne API, the documentation is located in the SentinelOne console" def main(): diff --git a/plugins/sentinelone/help.md b/plugins/sentinelone/help.md index d5895f8533..65a6b1ad01 100644 --- a/plugins/sentinelone/help.md +++ b/plugins/sentinelone/help.md @@ -2,7 +2,7 @@ [SentinelOne](https://www.sentinelone.com/) is a next-gen cybersecurity company focused on protecting the enterprise through the endpoint. The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne. -This plugin utilizes the SentinelOne API, the documentation is located in the SentinelOne console. +This plugin utilizes the SentinelOne API, the documentation is located in the SentinelOne console # Key Features 
@@ -885,6 +885,7 @@ Example input: | :--- | :--- | :--- | :--- | :--- | |errors|[]object|False|Errors|[]| |events|[]eventData|False|Response events data|[{"accountId": "1000000000000000000", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000000", "agentId": "1000000000000000000", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000000", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000000", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}, {"accountId": "1000000000000000001", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000001", "agentId": "1000000000000000001", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": 
"2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000001", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000001", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}]| + Example output: ``` 
@@ -1023,7 +1024,7 @@ This action is used to gets summary of all threats |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | |data|[]threatData|False|Data|[{"agentOsType": "windows", "automaticallyResolved": False, "cloudVerdict": "black", "id": "1000000000000000000", "engines": ["reputation"], "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fromCloud": False, "mitigationMode": "protect", "mitigationReport": {"quarantine": {"status": "success"}, "kill": {"status": "success"}}, "rank": 7, "siteName": "Example Site", "whiteningOptions": ["hash"], "agentComputerName": "vagrant-pc", "collectionId": "1000000000000000000", "createdAt": "2019-02-21T16:05:49.251201Z", "mitigationStatus": "active", "classificationSource": "Static", "resolved": True, "accountName": "Example Account", "fileVerificationType": "NotSigned", "siteId": "1000000000000000000", "fileIsExecutable": False, "fromScan": False, "agentNetworkStatus": "disconnecting", "createdDate": "2019-02-21T16:05:49.175000Z", "accountId": "1000000000000000000", "initiatedBy": "agentPolicy", "initiatedByDescription": "Agent Policy", "threatAgentVersion": "3.0.1.3", "username": "vagrant-pc\\vagrant", "agentVersion": "3.0.1.3", "classifierName": "STATIC", "fileExtensionType": "Executable", "agentDomain": "WORKGROUP", "fileIsSystem": False, "agentInfected": False, "isCertValid": False, "isInteractiveSession": False, "isPartialStory": False, "updatedAt": "2020-05-28T21:53:36.064425Z", "agentId": "1000000000000000000", "agentMachineType": "desktop", "classification": "Malware", "markedAsBenign": False, "threatName": "EICAR.com", "agentIsDecommissioned": True, "description": "malware detected - not mitigated yet (static engin...", "fileDisplayName": "EICAR.com", "agentIp": "198.51.100.1", "agentIsActive": False, "fileObjectId": "1234567890", "filePath": "\\Device\\HarddiskVolume2\\Users\\vagrant\\Desktop\\EICA...", "maliciousGroupId": "1234567890"}]| 
-|errors|[]object|False|Errors|[]|', '|data|[]threatData|False|Data|[{"agentOsType": "windows", "automaticallyResolved": False, "cloudVerdict": "black", "id": "1000000000000000000", "engines": ["reputation"], "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fromCloud": False, "mitigationMode": "protect", "mitigationReport": {"quarantine": {"status": "success"}, "kill": {"status": "success"}}, "rank": 7, "siteName": "Example Site", "whiteningOptions": ["hash"], "agentComputerName": "vagrant-pc", "collectionId": "1000000000000000000", "createdAt": "2019-02-21T16:05:49.251201Z", "mitigationStatus": "active", "classificationSource": "Static", "resolved": True, "accountName": "Example Account", "fileVerificationType": "NotSigned", "siteId": "1000000000000000000", "fileIsExecutable": False, "fromScan": False, "agentNetworkStatus": "disconnecting", "createdDate": "2019-02-21T16:05:49.175000Z", "accountId": "1000000000000000000", "initiatedBy": "agentPolicy", "initiatedByDescription": "Agent Policy", "threatAgentVersion": "3.0.1.3", "username": "vagrant-pc\\\\vagrant", "agentVersion": "3.0.1.3", "classifierName": "STATIC", "fileExtensionType": "Executable", "agentDomain": "WORKGROUP", "fileIsSystem": False, "agentInfected": False, "isCertValid": False, "isInteractiveSession": False, "isPartialStory": False, "updatedAt": "2020-05-28T21:53:36.064425Z", "agentId": "1000000000000000000", "agentMachineType": "desktop", "classification": "Malware", "markedAsBenign": False, "threatName": "EICAR.com", "agentIsDecommissioned": True, "description": "malware detected - not mitigated yet (static engin...", "fileDisplayName": "EICAR.com", "agentIp": "198.51.100.1", "agentIsActive": False, "fileObjectId": "1234567890", "filePath": "\\\\Device\\\\HarddiskVolume2\\\\Users\\\\vagrant\\\\Desktop\\\\EICA...", "maliciousGroupId": "1234567890"}]| +|errors|[]object|False|Errors|[]| |pagination|pagination|False|Pagination|{'totalItems': 1}| Example output: 
@@ -2351,7 +2352,7 @@ Example output: # Version History -* 11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities +* 11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities | Fix issue with URL input validation * 11.1.2 - Resolve issue where unexpected timestamps returned from SentinelOne were not parsed in task `Monitor Logs` | Update plugin to be FedRAMP compliant * 11.1.1 - Updated Plugin connection to improve `instance` input usability * 11.1.0 - Added connection test for task `Monitor Logs` | Update SDK diff --git a/plugins/sentinelone/komand_sentinelone/tasks/monitor_logs/schema.py b/plugins/sentinelone/komand_sentinelone/tasks/monitor_logs/schema.py index 3cdfbc0241..86ffe4d536 100644 --- a/plugins/sentinelone/komand_sentinelone/tasks/monitor_logs/schema.py +++ b/plugins/sentinelone/komand_sentinelone/tasks/monitor_logs/schema.py @@ -43,9 +43,7 @@ class MonitorLogsOutput(insightconnect_plugin_runtime.Output): "type": "array", "title": "Logs", "description": "List of activity, device control event, and threat logs within the specified time range", - "items": { - "type": "object" - }, + "items": {}, "definitions": {} } """) diff --git a/plugins/sentinelone/komand_sentinelone/util/helper.py b/plugins/sentinelone/komand_sentinelone/util/helper.py index a62f93257e..babf1f8b47 100755 --- a/plugins/sentinelone/komand_sentinelone/util/helper.py +++ b/plugins/sentinelone/komand_sentinelone/util/helper.py 
@@ -83,10 +83,24 @@ def _wrapper(self, *args, **kwargs): def format_subdomain(instance: str) -> str: """ - If an input subdomain contains a scheme or the Sentinelone secondlevel domain, strip these values + If an input subdomain contains a scheme or the SentinelOne second-level domain, strip these values """ - instance = instance.replace(".sentinelone.net", "") - return instance.replace("https://", "").replace("http://", "") + + # Remove leading and trailing whitespace + instance = instance.strip() + + # Remove the scheme if it exists + if instance.startswith("http://"): + instance = instance[7:] + elif instance.startswith("https://"): + instance = instance[8:] + + # Remove the SentinelOne domain suffix + if ".sentinelone.net" in instance: + instance = instance.replace(".sentinelone.net", "") + + # Remove any trailing slashes + return instance.rstrip("/") class Helper: diff --git a/plugins/sentinelone/plugin.spec.yaml b/plugins/sentinelone/plugin.spec.yaml index 0b81271221..511415fa0d 100644 --- a/plugins/sentinelone/plugin.spec.yaml +++ b/plugins/sentinelone/plugin.spec.yaml @@ -3,6 +3,7 @@ extension: plugin products: [insightconnect] name: sentinelone title: SentinelOne +description: "[SentinelOne](https://www.sentinelone.com/) is a next-gen cybersecurity company focused on protecting the enterprise through the endpoint. The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne.\n\nThis plugin utilizes the SentinelOne API, the documentation is located in the SentinelOne console" version: 11.1.3 connection_version: 10 cloud_ready: true @@ -12,7 +13,6 @@ sdk: version: 6.2.2 user: nobody supported_versions: ["2.1.0"] -description: The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne vendor: rapid7 support: rapid7 status: [] 
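Review bot: In the new body of format_subdomain, `instance.replace(".sentinelone.net", "")` removes that substring wherever it occurs rather than only as the trailing domain, and nothing after the stripping rejects what is left, so a value still carrying a path, port, user-info or embedded whitespace is returned as the instance name. The result is presumably interpolated into the API base URL by a caller outside this hunk, so the helper should drop the suffix only when it really is the suffix, cut everything after the first `/` instead of only trailing slashes, and then reject anything that is not a plain hostname fragment. The `if ".sentinelone.net" in instance` guard is redundant with `replace`, and the `instance[7:]`/`instance[8:]` slices could be `removeprefix` if the plugin runs on Python 3.9+. The rewrite below needs `import re` at the top of helper.py (outside the hunk); `ValueError` stands in for the plugin's usual exception type.
```python
def format_subdomain(instance: str) -> str:
    # … unchanged: docstring, whitespace and scheme stripping …

    # Keep only the host part: drop any path the user pasted along with the console URL
    instance = instance.split("/", 1)[0]

    # Strip the SentinelOne domain only when it is actually the suffix
    suffix = ".sentinelone.net"
    if instance.endswith(suffix):
        instance = instance[: -len(suffix)]

    # What remains must be a bare hostname fragment (no port, user-info, whitespace)
    if not re.fullmatch(r"[A-Za-z0-9.-]+", instance):
        raise ValueError(f"Invalid SentinelOne instance: {instance!r}")
    return instance
```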
@@ -43,7 +43,11 @@ references: - "[SentinelOne Product Page](https://www.sentinelone.com/)" requirements: - "SentinelOne API key" -troubleshooting: "* To generate an API key, create a new Service User or select an existing one with adequate permissions from the SentinelOne console\n* To convert `threat` into an array use Type Converter Plugin\n* For the Trigger settings, only set the Resolved field to False if solely resolved threats should be retrieved (i.e. setting to False will not include unresolved threats)\n* The Run Remote Script action may require starting a protected actions session to function properly. To do this, in the `code` input field, enter the passcode from a third-party app, such as Duo Mobile or Google Authenticator, set up in two-factor authentication. Entering the code is not required each time you run the action, because the session is valid for 30 minutes" +troubleshooting: +- "To generate an API key, create a new Service User or select an existing one with adequate permissions from the SentinelOne console" +- "To convert `threat` into an array use Type Converter Plugin" +- "For the Trigger settings, only set the Resolved field to False if solely resolved threats should be retrieved (i.e. setting to False will not include unresolved threats)" +- "The Run Remote Script action may require starting a protected actions session to function properly. To do this, in the `code` input field, enter the passcode from a third-party app, such as Duo Mobile or Google Authenticator, set up in two-factor authentication. Entering the code is not required each time you run the action, because the session is valid for 30 minutes" resources: source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/sentinelone license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE 
@@ -58,7 +62,7 @@ hub_tags: keywords: [sentinelone, endpoint, detection, cloud_enabled] features: [] version_history: - - "11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities" + - "11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities | Fix issue with URL input validation" - "11.1.2 - Resolve issue where unexpected timestamps returned from SentinelOne were not parsed in task `Monitor Logs` | Update plugin to be FedRAMP compliant" - "11.1.1 - Updated Plugin connection to improve `instance` input usability" - "11.1.0 - Added connection test for task `Monitor Logs` | Update SDK" diff --git a/plugins/sentinelone/setup.py b/plugins/sentinelone/setup.py index 4372ef72db..c6336ebd4e 100644 --- a/plugins/sentinelone/setup.py +++ b/plugins/sentinelone/setup.py @@ -4,7 +4,7 @@ setup(name="sentinelone-rapid7-plugin", version="11.1.3", - description="The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne", + description="[SentinelOne](https://www.sentinelone.com/) is a next-gen cybersecurity company focused on protecting the enterprise through the endpoint. The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne.This plugin utilizes the SentinelOne API, the documentation is located in the SentinelOne console.", author="rapid7", author_email="", url="",